04-12-2008 03:58 AM - edited 03-11-2019 05:30 AM
We have an ASA configured for failover, and all the interfaces are monitored and fail over correctly except for one interface, "inside".
The only difference is that the "inside" interface is configured with a standby address:
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
The firewall seems to be set as Active/Active. Could this be the issue?
Thanks.
04-12-2008 04:30 AM
I have now removed the standby entry, but have noticed when I enter the command "Show monitor-interface" that the LAN interface does not say "(waiting)"; simply Normal.
Does this suggest it is not set up correctly?
This host: Primary - Active
  Interface outside (217.112.81.130): Normal (Waiting)
  Interface inside (10.102.1.1): Normal
  Interface mgm (192.168.5.1): Normal (Waiting)
Other host: Secondary - Standby Ready
  Interface outside (0.0.0.0): Normal (Waiting)
  Interface inside (0.0.0.0): Normal
  Interface mgm (0.0.0.0): Normal (Waiting)
The "monitor-interface inside" command IS present though in the running-config.
Help, I don't understand!
04-12-2008 09:33 AM
Mike,
This is not normal. This indicates there is no sync between the standby unit and the active unit; the interfaces are not being monitored by the standby towards the active.
What you need to do is make sure that the standby interfaces are indeed connected on the same VLANs as your active unit's interfaces. After you confirm this is fine in terms of VLAN configuration on the switch, issue failover on the primary unit first, then issue the same command on the standby unit. This sequence will make the standby sync with the primary and pull its configuration, as well as become standby.
Before you do all of the above, read this link carefully first so that you can get a picture of what needs to be done and cover every angle to ensure you meet all requirements for Active/Standby configurations.
See the end of the link for troubleshooting tips.
If you still have problems, reply to help you out.
HTH
Rgds
Jorge
04-13-2008 11:43 PM
I have no standby IP addresses configured...
The failover works fine on all the other interfaces except for "inside".
What is confusing me is that the firewall says it is set to Active/Active.
Could this be why it didn't fail over when it had a standby IP address configured?
04-14-2008 12:54 AM
I think "(Waiting)" is normal when you have no standby IP address configured.
See below:
If you do not enter a failover IP address, the show failover command displays 0.0.0.0 for the IP address and interface monitoring remains in a waiting state. Refer to the show failover section of the Cisco Security Appliance Command Reference, Version 7.2 for more information about the different failover states.
I guess my concern is that when we had a standby address configured on the "inside" interface, it did not fail over as expected when the network cable was pulled.
Could this be because of the Active/Active setting?
Help!
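
Added example (not part of any post in this thread, and not Cisco code): a small Python check that reads output in the "show monitor-interface" format posted above and reports the two conditions the quoted command reference describes, a 0.0.0.0 address and a "(Waiting)" monitoring state, plus any status other than Normal. The sample text and its addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the output posted in this thread
# (addresses are documentation/private ranges, not values from the thread).
SAMPLE = """\
This host: Primary - Active
Interface outside (203.0.113.10): Normal (Waiting)
Interface inside (10.0.0.1): Normal
Other host: Secondary - Standby Ready
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (10.0.0.2): Normal
"""

HOST_RE = re.compile(r"^\s*(This host|Other host):\s*(.+?)\s*$")
IFACE_RE = re.compile(
    r"^\s*Interface\s+(\S+)\s+\(([\d.]+)\):\s*(.+?)\s*(\(Waiting\))?\s*$")


def parse_monitor_interface(text):
    """Return one dict per interface line, tagged with the host it belongs to."""
    rows, host = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
        elif (m := IFACE_RE.match(line)) and host:
            name, ip, status, waiting = m.groups()
            rows.append({"host": host, "name": name, "ip": ip,
                         "status": status, "waiting": waiting is not None})
    return rows


def audit(text):
    """List (host, interface, issue) for states the quoted reference describes."""
    findings = []
    for r in parse_monitor_interface(text):
        if r["ip"] == "0.0.0.0":
            findings.append((r["host"], r["name"], "no failover IP address entered"))
        if r["waiting"]:
            findings.append((r["host"], r["name"], "monitoring still in waiting state"))
        if r["status"] != "Normal":
            findings.append((r["host"], r["name"], f"status is {r['status']}"))
    return findings


if __name__ == "__main__":
    for host, name, issue in audit(SAMPLE):
        print(f"{host:10} {name:8} {issue}")
```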